European firms will not work with companies that suffer data breach

More than half (58%) of European mid-sized firms refuse to do business with a company that had suffered a data breach, despite the fact that 41% believe data loss is just an inevitable part of daily business, a new study has revealed.

The 2013 Information Risk Maturity Index, compiled by storage and information management company Iron Mountain and PwC, shows that even as European companies are experiencing a 50% per year increase in data breaches, their approach to information management is defined by confusion, inconsistency and double standards.

This is the second annual publication of the Information Risk Maturity Index, which measures how prepared European mid-tier companies are to manage and respond to information risk.

The study found that, while 68% of companies recognise that a responsible attitude to information is critical to business success, 47% say their Board does not see data protection as a big issue and 43% say their employees hold the same view.

In addition, while 44% expect the risk of a data breach to increase, 60% believe that cutting costs is more important than reducing exposure to information risk. Less than half (45%) have an information risk strategy in place and measure its effectiveness, and 38% have a plan but do not know whether it works or not. More than half (54%) say the pace of change in information risk is so staggering that they will never keep up with it.

Christian Toon, head of information risk, Iron Mountain, said: "There is a growing gap between attitude and action at a time of increasing complexity and rising threats to information security. Businesses are unsure what to do or where to turn. It is critical that they adopt a responsible approach to information management, not just to deserve and preserve their brand reputation and customer loyalty, but to ensure that other firms will want to keep doing business with them."

PwC surveyed senior managers at 600 European businesses with 250 to 2,500 employees in the legal, financial services, pharmaceutical, insurance and manufacturing and engineering sectors.

The results, assessed for France, Germany, Hungary, the Netherlands and Spain show that the average Information Risk Maturity Index score for European companies in 2013 has increased to 56.8, compared to 40.6 in 2012, set against a score of 100. In 2012, the UK held the position of Europe’s worst performer in managing information risk, occupying the lowest index score. In 2013, it has moved up the rankings, overtaking Spain and France to fourth best performer, just behind Germany. The ‘people’ and ‘security’ based measures amongst the UK mid-market have increased in comparison with 2012, but the UK mid-market continues to struggle with the communications and strategic elements required to be fully equipped for information risk.

While the index suggests significant improvement has been made, businesses in the UK – indeed all those across Europe – have a long way to go before they can achieve truly acceptable levels of information risk management.

Claire Reid, PwC Risk Assurance partner, said: "Too many European companies continue to undervalue their information assets and overestimate their ability to protect them. This is no longer a lack of awareness; it’s a lack of action. Information underpins market position and customer confidence, and any kind of information loss can deliver catastrophic reputational damage.

"As information breaches increase at a spectacular pace, European companies need to understand that failing to take action to safeguard information means they will almost certainly become a victim."